BSP orders PH banks to boost defenses amid ransomware attacks
MANILA — The Bangko Sentral ng Pilipinas on Tuesday said the global ransomware attack over the weekend had no impact on any Philippine financial institution, even as it urged all banks and non-banks to step up defenses.
Asked if BSP-supervised financial institutions were targeted during the cyber-extortion attacks, Deputy Governor Nestor A. Espenilla Jr. replied: “Targeted? Possible. Successfully attacked? That’s another matter—none so far.”
Reports said at least 100,000 groups in 150 countries had been hit by online extortion attacks as of Sunday.
Espenilla said the BSP had “previously alerted the system to the danger,” hence he was “sure” that “defensive initiatives have minimized the risk.”
Last week, the BSP issued Memorandum No. M-2017-017 that reminded banks to adopt multi-factor authentication (MFA) in response to “growing concerns on cyber-attacks involving fraudulent e-mails and websites aimed at customers and employees of financial institutions.”
Last April, the BSP ordered all financial institutions in the country to implement MFA, especially for sensitive transactions, by September amid bigger risks coming from cyber-attacks.
The BSP earlier explained that MFA employs a combination of at least two authentication factors, namely: inherence, or something inherent to the user, such as a fingerprint or retinal pattern; knowledge, or something the user knows, such as a password or PIN; and possession, or something the user has, including a payment card or a one-time password generated by a security token or sent via SMS.
The MFA “provides for a more reliable authentication method and a stronger fraud deterrent mechanism that limits unauthorized access,” the BSP had said.
In a new memorandum issued just last Monday, the BSP reiterated the need to beef up cyber-defenses in light of the recent global ransomware attacks.
“With the alarming proliferation of ransomware, BSP-supervised financial institutions are at an increased risk of loss or unauthorized disclosure of proprietary or sensitive information, operational disruptions, financial losses incurred to restore affected systems and reputational damage. Given the perceived anonymity of threat actors in perpetrating ransom payment schemes, ransomware remains a viable threat that is expected to evolve to more sophisticated and destructive forms, such as crypto-ransomware. Web-based applications, including legitimate cloud-based services, are particularly vulnerable to this type of threat,” Espenilla said in Memorandum No. M-2017-018 issued on May 15.
“In this regard, BSP-supervised financial institutions are advised to heighten their vigilance and ensure that robust protection against ransomware is in place. BSP-supervised financial institutions should provide multiple layers of defenses by implementing appropriate controls at the host, network, and endpoint level to prevent and detect malicious codes,” Espenilla said.
At a minimum, BSP-supervised financial institutions should apply the “least privilege” principle in granting access to all systems and services and prohibit the download and use of unauthorized files and software (such as executable files and mobile codes), and access to doubtful websites.
Other preventive measures include installation and timely update of anti-malware software provided by reputable vendors and periodic vulnerability scanning and effective patch management procedures for all critical systems and applications.
To address the more sophisticated forms of ransomware, BSP-supervised financial institutions should consider adopting advanced security solutions such as signature-less anti-malware solutions capable of analyzing abnormal behavioral patterns in network and system traffic flows. “Likewise, application whitelisting which allows only specified programs to run and/or sandboxing technologies which can inspect incoming traffic such as e-mail attachments without compromising the production environment can be employed,” Espenilla added.
“To mitigate the potential catastrophic impact of ransomware attacks, BSP-supervised financial institutions should ensure that adequate back-up and recovery procedures for critical systems and data, including periodic testing to check the integrity thereof, are in place. Because back-ups may also be subject to attacks, BSP-supervised financial institutions should consider supplementing existing practices with cloud-based back-ups and/or back-ups using removable media or air-gapped facilities. Alongside these controls, BSP-supervised financial institutions should strengthen user education and awareness to include employee safe practice procedures when using the email service and browsing the web,” according to Espenilla.
“If infected by ransomware, BSP-supervised financial institutions should refrain from paying or communicating with the malicious actor as this does not guarantee that ransomed and/or encrypted files will be released,” BSP said.
Also, “paying ransom only encourages cyber criminals’ illicit activities,” the BSP added.
“BSP-supervised financial institutions should proactively monitor the cyber-threat environment through robust, timely and actionable threat intelligence. Additionally, ransomware attacks should be covered by an established and well-tested incident response plan and procedures,” the BSP said.
“Incidents involving cyber-extortion using ransomware, and other types of cyber-related crimes should be promptly reported to the BSP… In some instances, BSP-supervised financial institutions may need to seek assistance and cooperate with enforcement authorities for prompt resolution of cybercrime cases, especially if these involve public safety and security, pursuant to the Cybercrime Prevention Act of 2012 and other relevant laws and regulations,” according to the BSP.
For Espenilla, “BSP-supervised financial institutions should continuously assess the cyber-threat landscape and adjust their information security programs, policies, processes, and capabilities accordingly.”
“BSP-supervised financial institutions may refer to leading security standards and frameworks set by standard-setting bodies, including specific inputs from their third-party service providers and security vendors, to effectively prevent, detect, respond to, and recover from these types of attacks,” Espenilla said. SFM